The Data Protection Act 1998 (DPA) defines personal information as any information that can be used to identify an individual. Individuals can be identified by various means including their name, address, telephone number, email address or other identifying information.
The reasons I process your personal information
My contractual obligation to you as a psychotherapist is the lawful basis for my processing of your personal information. In order to fulfil this obligation, I need to assess whether or not I am able to offer you psychotherapy after you contact me and then I need to be able to deliver effective psychotherapy to you once the therapy commences. The personal information I collect from you helps with my assessment process and my clinical decision-making during psychotherapy. I will also use the information that I collect about you in order to develop a better psychotherapy website service.
The laws that protect your personal information
The DPA and the General Data Protection Regulation (GDPR) require that all organisations that store personal information about people may only do so provided the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information subjects for no longer than is necessary for the purposes for which the personal information are processed; and processed in a manner that ensures appropriate security of the personal information.
How I collect your personal information on Initial Contact
How I collect your information in following sessions
If we commence work together, I collect your information in various ways. This can either be face to face in sessions, online sessions using Zoom, Skype or FaceTime, via email exchange in between sessions or phone and text messages in between sessions.
How I treat your personal information
The lawful and proper treatment of your personal information is important to me and I treat your personal information in a way that is compliant with the DPA and the GDPR.
How I store your personal information
I store your personal information both electronically and physically. All electronic devices, software packages and documents used to store information are password protected. The software system I use for storing your case notes is GDPR compliant and uses end-to-end 256-bit encryption. Any paperwork with your details on it, is stored securely in a lockable filing cabinet.
I do not share my devices or passwords with anyone else, other than the therapist who is the executor of my ‘Professional Will’. She has the password for a document that contains the contact details for all of my current clients and has permission to use this in the event of my death and/or serious illness. She also has relevant passwords for my devices so that she can manage what is necessary in the event of my death and /or serious illness.
If we use online platforms such as Skype, Zoom or FaceTime, the details you use to make contact are stored, but I do not store any therapy related information on these platforms. I do not record phone or Skype, Facetime or Zoom sessions.
For more information on the Privacy Policies of Zoom, Skype (Microsoft) and FaceTime (Apple), please see below:
I clear my downloads related to client information on all devices when I am not actively making use of those downloads.
Storing of your personal information
According to the GDPR, your personal information should be stored for no longer than is necessary. I will store your information for 6 years following the end of your contract with me. However, I may need to store your information for longer than this, for instance in order to defend myself in a claim situation, or if the terms of my Professional Insurance change and require me to do so.
What information I collect about you
Before committing to provide you with psychotherapy services, I will collect the following information from you, either by telephone or email, depending on how we make initial contact: name, telephone number, email address, availability, and some information about the issues and symptoms you would like to address.
Once we have agreed to work together and your therapy begins, I will collect further information from you that may include: date of birth, family details and history, relationship status, mental and physical health overview, GP and other health care providers contact details, previous therapy experiences, previous criminal convictions, network of support, financial and employment circumstances, appetite and sleep, family structure, goals for therapy. Any ongoing information I collect will be relevant to our psychotherapy contract.
Sensitive information is defined by the GDPR as being information that is more sensitive than other personal information. Examples of this type of information could include information about your physical or mental health, race, sexuality, cultural background, sex life, or religion. In order to lawfully process sensitive information, I am obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. The GDPR condition that I apply to the processing of this sensitive information is that it is ‘pursuant to contract with a health professional’. This means that, if you begin psychotherapy with me, or ask me to assess whether or not you are eligible for me to offer psychotherapy to you, then I will likely need to process some sensitive information about you. Usually, this is information about your mental health, and I need to process it in order to fulfil my contractual obligations to you in delivering safe, effective psychotherapy.
What do I use your information for?
I may need to ask you about some of the above information so that I can provide Psychotherapy to you in a way that meets your specific needs and so that I can make safe, effective and ethical decisions in our work together.
With regards personal and sensitive information, I do not need to keep a written record of everything you share with me. I keep my note taking outside of sessions to a minimum.
There are of course some things that I must, legally, have a written record of, if it is in direct relation to your safety or the safety others, such as emergency contact information, or information related to suicide risk, child protection, domestic abuse, or other violent crime, or should I ever need to account for my clinical decisions and/or respond to complaints.
‘Data controller’ information
The GDPR defines a ‘data controller’ as the person in an organisation who: ‘determines the purposes and means of processing personal data’. For the purposes of the GDPR, the ‘data controller’ in Oxford Counselling & Psychotherapy is Lizzie Kelly, 30 Beaumont Street, Oxford, OX1 2NY. I am registered with the Information Commissioners Office (ICO).
Other information I collect
I collect and process information about individuals necessary for the operation of my business. This includes clients, staff, colleagues, suppliers and other business contacts.
Who I share your information with
Whilst I am committed to confidentiality in our work together, I also have legal and ethical responsibilities, which means that I may have to break confidentiality in very specific circumstance, as follows:
Where there is a risk or perceived risk of serious harm to the client or another identifiable person
Under any Court Order, I may be required to share my notes or attend Court with my notes
Under The Terrorism Act 2000, it is a criminal offence for a person to fail to disclose, without reasonable excuse, any information which they either know or believe might help prevent another person carrying out an act of terrorism or might help in bringing a terrorist to justice in the UK.
Under s.21 of the Road Traffic Act 1991 - if the police require information about the driver of a vehicle at the time of an offence, it must be disclosed, and failure to do so is a criminal offence.
Under The Drug Trafficking Act 1994 requires disclosure of information concerning anyone making money through drug trafficking
Money Laundering Regulations 2007
Under the Serious Crime Act 2007, the courts can make a Serious Crime Disclosure Order requiring a person in possession of information or documents relevant to an enquiry about a serious crime to disclose them to anominated person, usually a police officer, or to the court. Also, the balance of public interest favours the prevention and detection of serious crime over the protection of confidences.
Under the Female Genital Mutilation (FGM) Act 2003 (as amended by section 74 of the Serious Crime Act 2015), there is a mandatory reporting duty to disclose information about FGM that has been carried out or disclosed on any female under the age of 18 years of age.
Under The Children Act 1989, in conjunction with subsequent legislation including the Children Act 2004, I have a statutory duty to co-operate with local authorities in child protection. There is a statutory duty to work together with other organisations, including information sharing, in conducting initial investigations of children who may be in need, or be subject to abuse and in the more detailed core assessments carried out under s.47 of the Children Act 1989. Child abuse includes physical, emotional or sexual abuse and also applies to children living in a home in which domestic violence occurs, where the abuse on the child may be indirect. The courts can also order disclosure of information in other circumstances.
In other circumstances, I may share some of your personal information with you GP or other healthcare professionals and organisations that you are linked to. Sometimes, this may follow a direct request from you. At other times, it may be something I suggest to provide the best care. I would always discuss this with you first to seek your consent, unless there is a serious risk of harm to yourself or others, as noted above.
All payments made to me online will identify your details to my bank and my tax accountant.
If we commence work together, your name and contact details are provided in a password protected document to the Executor of my Professional Will, as noted above.
Some of your personal information may be shared with third party operators engaged in providing services to my business such as my website provider or other business systems. These operators also have privacy policies, which are available on request.
What to do if you want a copy of the information I hold about you
You have the right to find out what information I store about you by requesting a copy of it. You can write to me at the contact details below, and ask for a copy of the information that I hold about you. I must respond to your request without delay, and usually within one month at the latest. I may charge a fee for providing this information if it is repetitive.
Users may exercise certain rights regarding the processing of Personal Data by the Owner.
Right to withdraw your consent any time. You have the right to withdraw your consent where you have previously given your consent to the processing of your Personal Data.
Right to object to the processing of your Data. You have the right to object to the processing of your Data if the processing is carried out on a legal basis other than consent.
Right to access your Data. You have the right to learn if Data is being processed by the 'Data Controller' and obtain a copy of the Data being processed.
Right to verify and seek rectification. You have the right to verify the accuracy of your Data and ask for it to be updated or corrected.
Right to restrict the processing of your Data. You have the right, under certain circumstances, to restrict the processing of your Data. In this case, the 'Data Controller' will not process your Data for any purpose other than storing it.
Right to have your Personal Data deleted. Users have the right, under certain circumstances, to obtain the erasure of their Data from the 'Data Controller'. However, I
Right to receive their Data and have it transferred to another controller.Users have the right to receive their Data and, if technically feasible, to have it transmitted to another controller without any hindrance.
Right to object. Users have the right to bring a claim before their competent data protection authority.
How to exercise your rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be free of charge and will be addressed by the Owner within one month. You can request for your personal information to be deleted either verbally, or in writing at the contact details below. I may also have the right to refuse to comply with your request, for example in order to defend myself in a claim situation, or to comply with my insurance terms and conditions, and I will let you know my response to your request within one month of receiving it.
If you wish to object or complain about the way that your personal information is being handled by me, then please contact me below I will do my best to address your concerns and take steps to try and resolve whatever issues you may raise. Should you wish to take the matter further, please contact the Information Commissioner’s Office on 0303 123 1123, or visit for more information.
Contact Details: Lizzie Kelly, Oxford Counselling & Psychotherapy, 30 Beaumont Street, Oxford, OX1 2NY
DEFINITIONS AND LEGAL REFERENCES
Personal Data (Data)
Any information that directly, indirectly, or in connection with other information — allows for the identification of a natural person.
Information collected automatically through this website which can include: the IP addresses or domain names of the computers utilised by the Users who use this website, the time of the request, the method utilised to submit the request to the server, the country of origin, the browser and the operating system, the time details per visit and the path followed within the website and other parameters about the device operating system and/or the User's computer environment.
The individual using this website who, unless otherwise specified, coincides with the Data Subject.
The natural person to whom the Personal Data refers.
Data Controller (or Owner)
The Data Controller, unless otherwise specified, is the Owner of this Website.
The means by which the Personal Data of the User is collected and processed.
The service provided by this website as described on this site.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
A small piece of Data stored in the User's device.